
🔑 Single Sign-On (SSO) with SAML

"One login, every workspace."
Enhance security, simplify access, and streamline authentication across Brainframe GRC.


Enabling Single Sign-On (SSO) with Security Assertion Markup Language (SAML) in Brainframe GRC strengthens security, improves the user experience, and reduces administrative overhead.



1️⃣ Key Benefits


  • 🛡️ Enhanced Security – Fewer passwords mean a smaller attack surface and stronger credential enforcement.
  • 🚪 Improved User Experience – One login unlocks access to multiple applications.
  • 🗂️ Simplified Credential Management – Centralized control makes enforcing policies easier.
  • 💡 Reduced IT Overhead – Cuts down password reset requests.
  • 🌐 Interoperability & Flexibility – SAML works with a wide variety of platforms and services.
  • 📜 Audit & Compliance – Centralized logging improves audit trails and compliance reporting.



2️⃣ Configuration


Only workspace administrators can configure SSO via the Authentication menu in the Workspace Settings.



Steps to Configure


  1. Open the Authentication menu in the Settings page.
  2. Enable SSO with SAML by ticking the checkbox.
  3. In your Identity Provider (IdP) (Okta, Azure AD, JumpCloud, etc.), create a new SAML application with:
     • Single Sign-On URL (ACS, Assertion Consumer Service) – Endpoint for IdP ↔ Brainframe communication.
     • Audience URI (SP Entity ID) – Unique identifier of your Brainframe workspace.
     • User attribute mapping for account auto-provisioning:
       • firstname
       • lastname
       • WorkspaceId (case-sensitive – copy it from the Brainframe GRC settings)
  4. Enter the IdP SSO Login URL – Generated by your IdP; tells Brainframe GRC where to redirect users.
  5. Enter the IdP Application Certificate – Allows Brainframe GRC to verify signed SAML claims.
  6. Optionally, copy the "Login with SSO" link and place it on your intranet; it lets users log directly into your workspace with a single button that opens your IdP login page and verifies the result.
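As an added example (not Brainframe's own code), the following Python check parses a constructed SAML assertion and verifies the two things steps 3 to 5 depend on: that the Audience matches the workspace's SP Entity ID, and that the firstname, lastname and WorkspaceId attributes are present with exactly that capitalisation. The entity ID, attribute values and function names are assumptions, and verifying the assertion signature against the IdP certificate is assumed to happen separately.

```python
# Added example, not Brainframe GRC code: sanity-check a SAML assertion's
# audience and attribute mapping before trusting it. Signature verification
# (XML-DSig with the IdP certificate) is assumed to be done elsewhere.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names are case-sensitive; "WorkspaceId" must match the
# Brainframe GRC settings page exactly.
REQUIRED_ATTRIBUTES = ("firstname", "lastname", "WorkspaceId")

# Constructed sample assertion with placeholder entity ID and workspace value.
# It deliberately mis-cases "workspaceid" to show the check catching it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example.invalid/sp/WORKSPACE_ENTITY_ID</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="workspaceid"><saml:AttributeValue>WS-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return a list of problems found; an empty list means the mapping is correct."""
    root = ET.fromstring(xml_text)
    problems = []
    # The Audience must name this workspace's SP Entity ID.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences} != {expected_audience!r}")
    # Collect attributes by their exact Name, with all values.
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            # Point out a case-only mismatch, the most common provisioning error.
            near = [n for n in attrs if n.lower() == name.lower()]
            hint = f" (found {near[0]!r}; names are case-sensitive)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
        elif not any(v for v in attrs[name]):
            problems.append(f"attribute {name!r} has no value")
    return problems


if __name__ == "__main__":
    for p in check_assertion(SAMPLE_ASSERTION, "https://example.invalid/sp/WORKSPACE_ENTITY_ID"):
        print("PROBLEM:", p)
```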


INFO: SSO SAML sessions on Brainframe GRC expire after 8 hours of inactivity, so that access stays aligned with user deactivations in the IdP.


ATTENTION: Users logged in via SSO can only switch between workspaces that share the same IdP configuration.



3️⃣ Automatic User Creation & Rights


  • 👤 Any user assigned to the application in the IdP can log into Brainframe.
  • If the user does not yet exist, Brainframe auto-creates the account with no admin rights and with access limited to their INBOX folder.
  • 🔐 Additional folder access must be granted via folder permissions.



🎯 Visual Checklist


  • [x] Admin opened Workspace Settings → Authentication
  • [x] Enabled SSO with SAML
  • [ ] Configured IdP SAML application (SSO URL, Entity ID, attributes)
  • [ ] Added Login URL & Certificate in Brainframe
  • [ ] Tested login with assigned users
  • [ ] Verified access rights and folder permissions


Updated on: 05/09/2025
